From patchwork Wed Feb  5 14:34:10 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Marta Rybczynska <rybczynska@gmail.com>
X-Patchwork-Id: 56706
Return-Path: <rybczynska@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 5A68FC02198
	for <webhook@archiver.kernel.org>; Wed,  5 Feb 2025 14:35:08 +0000 (UTC)
Received: from mail-wm1-f43.google.com (mail-wm1-f43.google.com
 [209.85.128.43])
 by mx.groups.io with SMTP id smtpd.web10.13240.1738766103754907028
 for <openembedded-core@lists.openembedded.org>;
 Wed, 05 Feb 2025 06:35:04 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=fF7ve0Ea;
 spf=pass (domain: gmail.com, ip: 209.85.128.43,
 mailfrom: rybczynska@gmail.com)
Received: by mail-wm1-f43.google.com with SMTP id
 5b1f17b1804b1-4361b0ec57aso69309675e9.0
        for <openembedded-core@lists.openembedded.org>;
 Wed, 05 Feb 2025 06:35:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1738766101; x=1739370901;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=22MGEjVUnib3qBnu3OtOlTLrtmi4xoabRXyk8/fmWaw=;
        b=fF7ve0EaFklFqmaeNY+lglYQDo0nASOac+tkk9vAl6QVEe0AP7DJqo7eMmFFOGKvR4
         onjnaZkg0IsKqssdvjw0gTLSXeWvQ1nvlv6BhPRHAk6CzRoOOvAD4l/nhWfKRErq/rlP
         0YppPk3lZQoi74BFeO/S2FmNKcjfaeVXskXXex+peP0P0lkLzNYCZS8ldwXj7LcQvLkr
         n269KBXHkCo61PI3D59q8JHn/pCFHzzae6Eck023eEfgelkp3BuStUKMK3yU7A4gsFM5
         jmNiQdQ8d3zFkGHT23dZpsHgHNYI/jpSJzKjt4LpKQeELsHNbrcbR7esi9S9vfm8gR7m
         TWfQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1738766101; x=1739370901;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=22MGEjVUnib3qBnu3OtOlTLrtmi4xoabRXyk8/fmWaw=;
        b=GworXWirq1+VXgK9GOWlkI/ZG2EHCadLLw5V2644VtBvLse9+R+MbVI6wQPrKxaPjH
         GxbYHINlb4KbEyQjsyV2hVAQKX9p8QIdSZ8O7WNP4yREz8bqDze7cMMJhPCfyNPf9kaQ
         SD3K5aBJwzHBwCqVQC8XcT0Zn9o/vSMlbuUBzvfp0K4dpdz5gtv3R1rX9V6f+ry/EtwL
         EyDqONQ8EDGxGmvcC/dnmYCj3mhNJKw5el1+k1asQPgJz8JZt5KdxUC0PoeuA53w4Frc
         IIE0yoipfprlIhZ7HAwsvsAkJ6liWqwQ0+czuR19TTOtJAoluY8ZGydFdLPAc/Cw5G0y
         bW3g==
X-Gm-Message-State: AOJu0YyiNzNqfuyUIDma10Yn/HcLgJWHa8DiFThcKEJZ016rMvHEVvcG
	x5j5pu5PTKrwWAey47yRV6v4AJ1qWlw9S4uQhDw227QMjFaK5lcaeR9IO7v/
X-Gm-Gg: ASbGncv4kvk3/d+wYSQ8meaPPchEA+qQ9tFOjaSSmzZbg4KAliFgE76cXi/r/MA3Zr0
	8XXPEnmwhGX6bZGWKsdgyi0YbUEYMe+GZnZ/+0tdDeQjzcgUUaQEFAeJfO6spICsrmLkl5Wwl23
	8SkpW1Q5iB7iSJ7N9yGAahJ9eROKnZFsbTH3TPgXAruGlqnJJAPLyUQH9D70399YUCgv1tDovCX
	xrTOymsLZrSnXrzZRrMNlreg/5LGCSiqx6/Hl+NW/ootssYgKG3gVBtMx/xn7bUuBC5NcC7HDv2
	cnmqG+dBgsNLfuYGmioLBj5N7IOhexru4/hMq/ZABSrT
X-Google-Smtp-Source: 
 AGHT+IEkd8BTq32QEN4RziVEBUzY5xAF4o9dQxDNDyPd46OtV3SYrOrX1YtpcBzHpxligE48glTuAg==
X-Received: by 2002:adf:f1d2:0:b0:38d:b281:1b24 with SMTP id
 ffacd0b85a97d-38db48f2fa9mr1959225f8f.32.1738766101441;
        Wed, 05 Feb 2025 06:35:01 -0800 (PST)
Received: from localhost.localdomain
 ([2a04:cec0:10ef:d61d:4bb8:b29b:dacd:c52b])
        by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-38c5c102bccsm18614600f8f.27.2025.02.05.06.34.59
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 05 Feb 2025 06:35:00 -0800 (PST)
From: Marta Rybczynska <rybczynska@gmail.com>
X-Google-Original-From: Marta Rybczynska <marta.rybczynska@ygreky.com>
To: openembedded-core@lists.openembedded.org
Cc: Marta Rybczynska <marta.rybczynska@ygreky.com>
Subject: [PATCH v3][OE-core 1/4] cve-update-db-native: restore
Date: Wed,  5 Feb 2025 15:34:10 +0100
Message-ID: <20250205143439.38233-2-marta.rybczynska@ygreky.com>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20250205143439.38233-1-marta.rybczynska@ygreky.com>
References: <20250205143439.38233-1-marta.rybczynska@ygreky.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Wed, 05 Feb 2025 14:35:08 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/210850

Restore cve-update-db from kirkstone

Use cve-update-db-native.bb from OE 8c10f4a4dc12f65212576e6e568fa4369014aaa0

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
---
 .../recipes-core/meta/cve-update-db-native.bb | 291 ++++++++++++++++++
 1 file changed, 291 insertions(+)
 create mode 100644 meta/recipes-core/meta/cve-update-db-native.bb

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
new file mode 100644
index 0000000000..e042e67b09
--- /dev/null
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -0,0 +1,291 @@
+SUMMARY = "Updates the NVD CVE database"
+LICENSE = "MIT"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+inherit native
+
+deltask do_unpack
+deltask do_patch
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
+
+NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-"
+# CVE database update interval, in seconds. By default: once a day (24*60*60).
+# Use 0 to force the update
+# Use a negative value to skip the update
+CVE_DB_UPDATE_INTERVAL ?= "86400"
+
+# Timeout for blocking socket operations, such as the connection attempt.
+CVE_SOCKET_TIMEOUT ?= "60"
+
+CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_1.1.db"
+
+python () {
+    if not bb.data.inherits_class("cve-check", d):
+        raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
+}
+
+python do_fetch() {
+    """
+    Update NVD database with json data feed
+    """
+    import bb.utils
+    import bb.progress
+    import shutil
+
+    bb.utils.export_proxies(d)
+
+    db_file = d.getVar("CVE_CHECK_DB_FILE")
+    db_dir = os.path.dirname(db_file)
+    db_tmp_file = d.getVar("CVE_DB_TEMP_FILE")
+
+    cleanup_db_download(db_file, db_tmp_file)
+
+    # The NVD database changes once a day, so no need to update more frequently
+    # Allow the user to force-update
+    try:
+        import time
+        update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
+        if update_interval < 0:
+            bb.note("CVE database update skipped")
+            return
+        if time.time() - os.path.getmtime(db_file) < update_interval:
+            bb.debug(2, "Recently updated, skipping")
+            return
+
+    except OSError:
+        pass
+
+    bb.utils.mkdirhier(db_dir)
+    if os.path.exists(db_file):
+        shutil.copy2(db_file, db_tmp_file)
+
+    if update_db_file(db_tmp_file, d) == True:
+        # Update downloaded correctly, can swap files
+        shutil.move(db_tmp_file, db_file)
+    else:
+        # Update failed, do not modify the database
+        bb.note("CVE database update failed")
+        os.remove(db_tmp_file)
+}
+
+do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}"
+do_fetch[file-checksums] = ""
+do_fetch[vardeps] = ""
+
+def cleanup_db_download(db_file, db_tmp_file):
+    """
+    Cleanup the download space from possible failed downloads
+    """
+
+    # Clean up the updates done on the main file
+    # Remove it only if a journal file exists - it means a complete re-download
+    if os.path.exists("{0}-journal".format(db_file)):
+        # If a journal is present the last update might have been interrupted. In that case,
+        # just wipe any leftovers and force the DB to be recreated.
+        os.remove("{0}-journal".format(db_file))
+
+        if os.path.exists(db_file):
+            os.remove(db_file)
+
+    # Clean-up the temporary file downloads, we can remove both journal
+    # and the temporary database
+    if os.path.exists("{0}-journal".format(db_tmp_file)):
+        # If a journal is present the last update might have been interrupted. In that case,
+        # just wipe any leftovers and force the DB to be recreated.
+        os.remove("{0}-journal".format(db_tmp_file))
+
+    if os.path.exists(db_tmp_file):
+        os.remove(db_tmp_file)
+
+def update_db_file(db_tmp_file, d):
+    """
+    Update the given database file
+    """
+    import bb.utils, bb.progress
+    from datetime import date
+    import urllib, gzip, sqlite3
+
+    YEAR_START = 2002
+    cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT"))
+
+    # Connect to database
+    conn = sqlite3.connect(db_tmp_file)
+    initialize_db(conn)
+
+    with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f:
+        total_years = date.today().year + 1 - YEAR_START
+        for i, year in enumerate(range(YEAR_START, date.today().year + 1)):
+            bb.debug(2, "Updating %d" % year)
+            ph.update((float(i + 1) / total_years) * 100)
+            year_url = (d.getVar('NVDCVE_URL')) + str(year)
+            meta_url = year_url + ".meta"
+            json_url = year_url + ".json.gz"
+
+            # Retrieve meta last modified date
+            try:
+                response = urllib.request.urlopen(meta_url, timeout=cve_socket_timeout)
+            except urllib.error.URLError as e:
+                cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n')
+                bb.warn("Failed to fetch CVE data (%s)" % e)
+                import socket
+                result = socket.getaddrinfo("nvd.nist.gov", 443, proto=socket.IPPROTO_TCP)
+                bb.warn("Host IPs are %s" % (", ".join(t[4][0] for t in result)))
+                return False
+
+            if response:
+                for l in response.read().decode("utf-8").splitlines():
+                    key, value = l.split(":", 1)
+                    if key == "lastModifiedDate":
+                        last_modified = value
+                        break
+                else:
+                    bb.warn("Cannot parse CVE metadata, update failed")
+                    return False
+
+            # Compare with current db last modified date
+            cursor = conn.execute("select DATE from META where YEAR = ?", (year,))
+            meta = cursor.fetchone()
+            cursor.close()
+
+            if not meta or meta[0] != last_modified:
+                bb.debug(2, "Updating entries")
+                # Clear products table entries corresponding to current year
+                conn.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,)).close()
+
+                # Update db with current year json file
+                try:
+                    response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout)
+                    if response:
+                        update_db(conn, gzip.decompress(response.read()).decode('utf-8'))
+                    conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close()
+                except urllib.error.URLError as e:
+                    cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
+                    bb.warn("Cannot parse CVE data (%s), update failed" % e.reason)
+                    return False
+            else:
+                bb.debug(2, "Already up to date (last modified %s)" % last_modified)
+            # Update success, set the date to cve_check file.
+            if year == date.today().year:
+                cve_f.write('CVE database update : %s\n\n' % date.today())
+
+        conn.commit()
+        conn.close()
+        return True
+
+def initialize_db(conn):
+    with conn:
+        c = conn.cursor()
+
+        c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
+
+        c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
+            SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
+
+        c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
+            VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
+            VERSION_END TEXT, OPERATOR_END TEXT)")
+        c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);")
+
+        c.close()
+
+def parse_node_and_insert(conn, node, cveId):
+    # Parse children node if needed
+    for child in node.get('children', ()):
+        parse_node_and_insert(conn, child, cveId)
+
+    def cpe_generator():
+        for cpe in node.get('cpe_match', ()):
+            if not cpe['vulnerable']:
+                return
+            cpe23 = cpe.get('cpe23Uri')
+            if not cpe23:
+                return
+            cpe23 = cpe23.split(':')
+            if len(cpe23) < 6:
+                return
+            vendor = cpe23[3]
+            product = cpe23[4]
+            version = cpe23[5]
+
+            if cpe23[6] == '*' or cpe23[6] == '-':
+                version_suffix = ""
+            else:
+                version_suffix = "_" + cpe23[6]
+
+            if version != '*' and version != '-':
+                # Version is defined, this is a '=' match
+                yield [cveId, vendor, product, version + version_suffix, '=', '', '']
+            elif version == '-':
+                # no version information is available
+                yield [cveId, vendor, product, version, '', '', '']
+            else:
+                # Parse start version, end version and operators
+                op_start = ''
+                op_end = ''
+                v_start = ''
+                v_end = ''
+
+                if 'versionStartIncluding' in cpe:
+                    op_start = '>='
+                    v_start = cpe['versionStartIncluding']
+
+                if 'versionStartExcluding' in cpe:
+                    op_start = '>'
+                    v_start = cpe['versionStartExcluding']
+
+                if 'versionEndIncluding' in cpe:
+                    op_end = '<='
+                    v_end = cpe['versionEndIncluding']
+
+                if 'versionEndExcluding' in cpe:
+                    op_end = '<'
+                    v_end = cpe['versionEndExcluding']
+
+                if op_start or op_end or v_start or v_end:
+                    yield [cveId, vendor, product, v_start, op_start, v_end, op_end]
+                else:
+                    # This is no version information, expressed differently.
+                    # Save processing by representing as -.
+                    yield [cveId, vendor, product, '-', '', '', '']
+
+    conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()).close()
+
+def update_db(conn, jsondata):
+    import json
+    root = json.loads(jsondata)
+
+    for elt in root['CVE_Items']:
+        if not elt['impact']:
+            continue
+
+        accessVector = None
+        cveId = elt['cve']['CVE_data_meta']['ID']
+        cveDesc = elt['cve']['description']['description_data'][0]['value']
+        date = elt['lastModifiedDate']
+        try:
+            accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector']
+            cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore']
+        except KeyError:
+            cvssv2 = 0.0
+        try:
+            accessVector = accessVector or elt['impact']['baseMetricV3']['cvssV3']['attackVector']
+            cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
+        except KeyError:
+            accessVector = accessVector or "UNKNOWN"
+            cvssv3 = 0.0
+
+        conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
+                [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()
+
+        configurations = elt['configurations']['nodes']
+        for config in configurations:
+            parse_node_and_insert(conn, config, cveId)
+
+
+do_fetch[nostamp] = "1"
+
+EXCLUDE_FROM_WORLD = "1"

From patchwork Wed Feb  5 14:34:11 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Marta Rybczynska <rybczynska@gmail.com>
X-Patchwork-Id: 56707
Return-Path: <rybczynska@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 559C8C02194
	for <webhook@archiver.kernel.org>; Wed,  5 Feb 2025 14:35:18 +0000 (UTC)
Received: from mail-wr1-f44.google.com (mail-wr1-f44.google.com
 [209.85.221.44])
 by mx.groups.io with SMTP id smtpd.web11.13318.1738766114083330267
 for <openembedded-core@lists.openembedded.org>;
 Wed, 05 Feb 2025 06:35:14 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=emKGyNbW;
 spf=pass (domain: gmail.com, ip: 209.85.221.44,
 mailfrom: rybczynska@gmail.com)
Received: by mail-wr1-f44.google.com with SMTP id
 ffacd0b85a97d-38db0c06e96so1053981f8f.2
        for <openembedded-core@lists.openembedded.org>;
 Wed, 05 Feb 2025 06:35:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1738766112; x=1739370912;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=qPUAHgbmxRJowWnByWQMHPf8LTBKwM52UjbDKXf9zKs=;
        b=emKGyNbWNl91Rf+UWzlQ8nMzaWztRnzmTncWz6A+oQ2rRDwYHxH32yvqNqUyrFjefi
         jz4BU5vunxQyWp9LKrVt2B24qKFQamdLcMLmD8YkiR98El9xyYex4zQyNllGleVC+c9D
         23lnpQQjTN1MUbWtdwnF+Qt42NfFvLNwfm13s/p2CZ565sJ2lm3rb+23mPwMtjsWpxDm
         HgetgRqtAdWoyU3S42qSu91g66WL+vtiVf0+CeYWTbIYd9nu6txTI6WjgtkUiC5GUvcx
         oxDD3k7xArd/e58hQ4gBlEH4tV3VeA1HfzhygfouTlYJwjgGHOkUCTmU+p3D/jffv+ht
         4ILA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1738766112; x=1739370912;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=qPUAHgbmxRJowWnByWQMHPf8LTBKwM52UjbDKXf9zKs=;
        b=Be+MvVbygXYySgrMQYDnEED5vnkw4Mbph2G9ChWmN6ODAkxpIvf67D7H0roiTO0ggB
         5gfuoPoAsnpKDwLH/5yzgaOvgN8sIb6eJWCDqi0yBja6k24MnbS3yC3Dr4xrYcIJAIij
         SsAZuYbVZlX8NeUiALDskB0bdDpNS4U62b0/itoU2eZTJb0eyQhJO1iznblwHZS/eo+P
         NRUqzvhuy7+9OW3cxuOGA1Nvv2NOSG6eFXS8exAayCTSaB7Z3E2PvZXTypNiGEMh7qNg
         UxtMlC7rMRyIIlRqR0X9qUuyP6tPoFrAVJvBLDdYV8sGQ60LgSq5KAhvwu6Jym6rBajZ
         XNKg==
X-Gm-Message-State: AOJu0YwGbbtj/UdjMgnIep24YV2EOclNPubOaNmhfyJxcgvs7mNnPTzm
	x6xopJaHQS/IkDkmLgBesaQ5ryV10B97ACgLxGM/yXHn5O8HHEzQmbwU7S1s
X-Gm-Gg: ASbGncvhOGDd4Qn0hRNkOwN2YVqn5CBRvX62K7ZvR/VI0XZIOMfULJYsT1k1SPaQM/n
	T/CRbWaVxz7DOdL1CCCjTf4SsxPhiD0MEwh3/B1bczvx3sUoVzrQaLTkCdZsDA0nijabxp4JrOK
	MzjlXBKDLITXlgY8B4oLoh32eKVNnE8C7XuvGg0khMT/IWhew3LORpHiTKGL9B6DU0Qp2KsswsI
	pGr9mDzoONSjnywJpk62jWNwP5oqVay7Ov5J9HpehzDIoeJh/gPtdn0FOvx1qkuWI5FxpI6D5vP
	H3Ej3LAGwUkM/rjkE80ddKOG4p38pzv+pwXc8JT9xG0n
X-Google-Smtp-Source: 
 AGHT+IHoJt882LFgbvsS4yLGKGsnAFGZMkJU+cz0JHQKNohbL8HFw8GIbPXd4WWB49a9Fvh8JmvfJA==
X-Received: by 2002:a5d:64af:0:b0:38d:adcd:a062 with SMTP id
 ffacd0b85a97d-38db48d5f84mr2076797f8f.39.1738766111763;
        Wed, 05 Feb 2025 06:35:11 -0800 (PST)
Received: from localhost.localdomain
 ([2a04:cec0:10ef:d61d:4bb8:b29b:dacd:c52b])
        by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-38c5c102bccsm18614600f8f.27.2025.02.05.06.35.06
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 05 Feb 2025 06:35:11 -0800 (PST)
From: Marta Rybczynska <rybczynska@gmail.com>
X-Google-Original-From: Marta Rybczynska <marta.rybczynska@ygreky.com>
To: openembedded-core@lists.openembedded.org
Cc: Marta Rybczynska <marta.rybczynska@ygreky.com>
Subject: [PATCH v3][OE-core 2/4] cve-update-db-native: update structure
Date: Wed,  5 Feb 2025 15:34:11 +0100
Message-ID: <20250205143439.38233-3-marta.rybczynska@ygreky.com>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20250205143439.38233-1-marta.rybczynska@ygreky.com>
References: <20250205143439.38233-1-marta.rybczynska@ygreky.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Wed, 05 Feb 2025 14:35:18 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/210851

Update the database structure and tasks to fit the current YP master.
This means:
- add the unpack task
- update the database structure (CVSS, vector string)

However, the old feed does not include CVSS4

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
---
 .../recipes-core/meta/cve-update-db-native.bb | 26 ++++++++++++++-----
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index e042e67b09..f16e79ff58 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -5,7 +5,6 @@ INHIBIT_DEFAULT_DEPS = "1"
 
 inherit native
 
-deltask do_unpack
 deltask do_patch
 deltask do_configure
 deltask do_compile
@@ -21,6 +20,9 @@ CVE_DB_UPDATE_INTERVAL ?= "86400"
 # Timeout for blocking socket operations, such as the connection attempt.
 CVE_SOCKET_TIMEOUT ?= "60"
 
+CVE_CHECK_DB_DLDIR_FILE ?= "${DL_DIR}/CVE_CHECK2/${CVE_CHECK_DB_FILENAME}"
+CVE_CHECK_DB_DLDIR_LOCK ?= "${CVE_CHECK_DB_DLDIR_FILE}.lock"
+
 CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_1.1.db"
 
 python () {
@@ -38,7 +40,7 @@ python do_fetch() {
 
     bb.utils.export_proxies(d)
 
-    db_file = d.getVar("CVE_CHECK_DB_FILE")
+    db_file = d.getVar("CVE_CHECK_DB_DLDIR_FILE")
     db_dir = os.path.dirname(db_file)
     db_tmp_file = d.getVar("CVE_DB_TEMP_FILE")
 
@@ -72,10 +74,16 @@ python do_fetch() {
         os.remove(db_tmp_file)
 }
 
-do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}"
+do_fetch[lockfiles] += "${CVE_CHECK_DB_DLDIR_LOCK}"
 do_fetch[file-checksums] = ""
 do_fetch[vardeps] = ""
 
+python do_unpack() {
+    import shutil
+    shutil.copyfile(d.getVar("CVE_CHECK_DB_DLDIR_FILE"), d.getVar("CVE_CHECK_DB_FILE"))
+}
+do_unpack[lockfiles] += "${CVE_CHECK_DB_DLDIR_LOCK} ${CVE_CHECK_DB_FILE_LOCK}"
+
 def cleanup_db_download(db_file, db_tmp_file):
     """
     Cleanup the download space from possible failed downloads
@@ -183,7 +191,7 @@ def initialize_db(conn):
         c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
 
         c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
-            SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
+            SCOREV2 TEXT, SCOREV3 TEXT, SCOREV4 TEXT, MODIFIED INTEGER, VECTOR TEXT, VECTORSTRING TEXT)")
 
         c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
             VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
@@ -263,23 +271,29 @@ def update_db(conn, jsondata):
             continue
 
         accessVector = None
+        vectorString = None
+        cvssv2 = 0.0
+        cvssv3 = 0.0
+        cvssv4 = 0.0
         cveId = elt['cve']['CVE_data_meta']['ID']
         cveDesc = elt['cve']['description']['description_data'][0]['value']
         date = elt['lastModifiedDate']
         try:
             accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector']
+            vectorString = elt['impact']['baseMetricV2']['cvssV2']['vectorString']
             cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore']
         except KeyError:
             cvssv2 = 0.0
         try:
             accessVector = accessVector or elt['impact']['baseMetricV3']['cvssV3']['attackVector']
+            vectorString = vectorString or elt['impact']['baseMetricV3']['cvssV3']['vectorString']
             cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
         except KeyError:
             accessVector = accessVector or "UNKNOWN"
             cvssv3 = 0.0
 
-        conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
-                [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()
+        conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?, ?)",
+                [cveId, cveDesc, cvssv2, cvssv3, cvssv4, date, accessVector, vectorString]).close()
 
         configurations = elt['configurations']['nodes']
         for config in configurations:

From patchwork Wed Feb  5 14:34:12 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Marta Rybczynska <rybczynska@gmail.com>
X-Patchwork-Id: 56709
Return-Path: <rybczynska@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 53153C02192
	for <webhook@archiver.kernel.org>; Wed,  5 Feb 2025 14:35:28 +0000 (UTC)
Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com
 [209.85.128.41])
 by mx.groups.io with SMTP id smtpd.web11.13323.1738766119098398619
 for <openembedded-core@lists.openembedded.org>;
 Wed, 05 Feb 2025 06:35:19 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=ResrOExh;
 spf=pass (domain: gmail.com, ip: 209.85.128.41,
 mailfrom: rybczynska@gmail.com)
Received: by mail-wm1-f41.google.com with SMTP id
 5b1f17b1804b1-436281c8a38so48550355e9.3
        for <openembedded-core@lists.openembedded.org>;
 Wed, 05 Feb 2025 06:35:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1738766117; x=1739370917;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=WueF30C+PWOTbexapza/hnoThXm3J6jt+zV9/jq2oqU=;
        b=ResrOExheSkddFxnGAmxGxgNF+KYJGKZU/YoRw1dKTgekM5Oz2FPWgJcrv2XUlGgLp
         7dIzNYOK0bl3K9upZM0YasPnkzCAGgGtOQ4WL8DaRRUdU6nwWyGVJqqY5X3pNZn74Pp9
         dx47G7Uuzs4mIrW7OnhK9wcDXhZWq2+x4KU3WvYHnFx2TpbW65WissQTuStgs4jpiMYK
         I0i83QCT9YqQdJc/g7dF4g3CrTp5a6UoW9B5stLaXtlwXTAqFTgsL27ewDKS6ntfPmxk
         gJMdo+P3W6Vgyg7CB1vhSPUlvCaLAqJvOLb4q7bstCkzKzSgYy1BncrO98IRke0LWRFY
         TJgw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1738766117; x=1739370917;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=WueF30C+PWOTbexapza/hnoThXm3J6jt+zV9/jq2oqU=;
        b=Q5o1jrf7OwukfJ/8mcGB2LMBasZe9tHoEoWuYs37uKZspveS2NQZMyxTMUZp+tYdDi
         /o3nebVXGDgJKLHhVAEKgrU2wDEg+XgVtOT2iuaHTPuKA/W4tK9AJrX99e6ZZuTwc4bT
         tsGB/bEuPfDiRpOSU/Q3r7KMXPss+kY4Orv/spL/59xS0Z9FZLerQQR5ZdQT4rLNvEH/
         wBKxlBmGIJPBNUVTkA0FNQvlpieXak+SSoIocWtfLNXvXv2ucLfb3jxsnVi/HSWrfEDg
         BWt93m9fAUVOnJ9Y+8uIaf7eVvEEzFOHwFDjA1OM3qtbzclpY6MrwkEsM5PEFy9LY6//
         heIg==
X-Gm-Message-State: AOJu0Yy8+3VsyveB3mPiBbKWJUOXtI6MshGKixa5yJeWMLsEbWj5LrJp
	+Ry9POI688MtDHbTEbNle3fu8WQWL9p50teedxCOmPSJiuSGKYf1s7RuxTD9
X-Gm-Gg: ASbGnctVUWphxrdnY/PZ//A7CHS4nVgbZkn0fYt8kHiMChILMWk7C02QLfDxBv68Orb
	H97RcpxXPl+EDz/Wp2ZxwiKNe5IrTf4V636o9wRFNrVvHHUgx+BCbPVcV/VWJ7uilYxvzHH3DIs
	PKLqPJULx3Erb0zHZIU05ggXU3iEz0fUQk5YfALDhbGALt3odW3w89XF+G3HL5qYeHF2JxtjNyp
	VKL2lcuqMzyCc+6jmP9Ag6Mk3jhoLj4SGqm6o1fO2UNBULk8qX6M1EFcvtt9rhdqtEDWsCJQz1s
	Eqs1xwQYnXUAFgg8Nf0b1StCkkqmjpaOUmZD3OuL6QHi
X-Google-Smtp-Source: 
 AGHT+IEtFLGuTObvPwMxva4SxgbD+sbI1BL1h7HwjBnOIiBuRP7N/GEZlGlx2NaVeDWYI47Tv4sMlw==
X-Received: by 2002:a05:6000:1acf:b0:38d:a945:66ea with SMTP id
 ffacd0b85a97d-38db4910399mr2004438f8f.50.1738766116794;
        Wed, 05 Feb 2025 06:35:16 -0800 (PST)
Received: from localhost.localdomain
 ([2a04:cec0:10ef:d61d:4bb8:b29b:dacd:c52b])
        by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-38c5c102bccsm18614600f8f.27.2025.02.05.06.35.14
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 05 Feb 2025 06:35:16 -0800 (PST)
From: Marta Rybczynska <rybczynska@gmail.com>
X-Google-Original-From: Marta Rybczynska <marta.rybczynska@ygreky.com>
To: openembedded-core@lists.openembedded.org
Cc: Marta Rybczynska <marta.rybczynska@ygreky.com>
Subject: [PATCH v3][OE-core 3/4] cve-update-db-native: add the fkie source
Date: Wed,  5 Feb 2025 15:34:12 +0100
Message-ID: <20250205143439.38233-4-marta.rybczynska@ygreky.com>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20250205143439.38233-1-marta.rybczynska@ygreky.com>
References: <20250205143439.38233-1-marta.rybczynska@ygreky.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Wed, 05 Feb 2025 14:35:28 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/210852

Add support for FKIE-CAD reconstruction of NVD feed from
https://github.com/fkie-cad/nvd-json-data-feeds

We download this feed directly from github releases.

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
---
 .../recipes-core/meta/cve-update-db-native.bb | 126 ++++++++++++++++--
 1 file changed, 113 insertions(+), 13 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index f16e79ff58..b889c9e6a7 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -12,6 +12,8 @@ deltask do_install
 deltask do_populate_sysroot
 
 NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-"
+FKIE_URL ?= "https://github.com/fkie-cad/nvd-json-data-feeds/releases/latest/download/CVE-"
+
 # CVE database update interval, in seconds. By default: once a day (24*60*60).
 # Use 0 to force the update
 # Use a negative value to skip the update
@@ -109,6 +111,30 @@ def cleanup_db_download(db_file, db_tmp_file):
     if os.path.exists(db_tmp_file):
         os.remove(db_tmp_file)
 
+def db_file_names(d, year, is_nvd):
+    if is_nvd:
+        year_url = d.getVar('NVDCVE_URL') + str(year)
+        meta_url = year_url + ".meta"
+        json_url = year_url + ".json.gz"
+        return json_url, meta_url
+    year_url = d.getVar('FKIE_URL') + str(year)
+    meta_url = year_url + ".meta"
+    json_url = year_url + ".json.xz"
+    return json_url, meta_url
+
+def host_db_name(d, is_nvd):
+    if is_nvd:
+        return "nvd.nist.gov"
+    return "github.com"
+
+def db_decompress(d, data, is_nvd):
+    import gzip, lzma
+
+    if is_nvd:
+        return gzip.decompress(data).decode('utf-8')
+    # otherwise
+    return lzma.decompress(data)
+
 def update_db_file(db_tmp_file, d):
     """
     Update the given database file
@@ -119,6 +145,7 @@ def update_db_file(db_tmp_file, d):
 
     YEAR_START = 2002
     cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT"))
+    is_nvd = d.getVar("NVD_DB_VERSION") == "NVD1"
 
     # Connect to database
     conn = sqlite3.connect(db_tmp_file)
@@ -129,9 +156,7 @@ def update_db_file(db_tmp_file, d):
         for i, year in enumerate(range(YEAR_START, date.today().year + 1)):
             bb.debug(2, "Updating %d" % year)
             ph.update((float(i + 1) / total_years) * 100)
-            year_url = (d.getVar('NVDCVE_URL')) + str(year)
-            meta_url = year_url + ".meta"
-            json_url = year_url + ".json.gz"
+            json_url, meta_url = db_file_names(d, year, is_nvd)
 
             # Retrieve meta last modified date
             try:
@@ -140,7 +165,7 @@ def update_db_file(db_tmp_file, d):
                 cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n')
                 bb.warn("Failed to fetch CVE data (%s)" % e)
                 import socket
-                result = socket.getaddrinfo("nvd.nist.gov", 443, proto=socket.IPPROTO_TCP)
+                result = socket.getaddrinfo(host_db_name(d, is_nvd), 443, proto=socket.IPPROTO_TCP)
                 bb.warn("Host IPs are %s" % (", ".join(t[4][0] for t in result)))
                 return False
 
@@ -168,7 +193,7 @@ def update_db_file(db_tmp_file, d):
                 try:
                     response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout)
                     if response:
-                        update_db(conn, gzip.decompress(response.read()).decode('utf-8'))
+                        update_db(d, conn, db_decompress(d, response.read(), is_nvd))
                     conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close()
                 except urllib.error.URLError as e:
                     cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
@@ -200,16 +225,22 @@ def initialize_db(conn):
 
         c.close()
 
-def parse_node_and_insert(conn, node, cveId):
+def parse_node_and_insert(conn, node, cveId, is_nvd):
     # Parse children node if needed
     for child in node.get('children', ()):
-        parse_node_and_insert(conn, child, cveId)
+        parse_node_and_insert(conn, child, cveId, is_nvd)
+
+    def cpe_generator(is_nvd):
+        match_string = "cpeMatch"
+        cpe_string = 'criteria'
+        if is_nvd:
+            match_string = "cpe_match"
+            cpe_string = 'cpe23Uri'
 
-    def cpe_generator():
-        for cpe in node.get('cpe_match', ()):
+        for cpe in node.get(match_string, ()):
             if not cpe['vulnerable']:
                 return
-            cpe23 = cpe.get('cpe23Uri')
+            cpe23 = cpe.get(cpe_string)
             if not cpe23:
                 return
             cpe23 = cpe23.split(':')
@@ -260,9 +291,9 @@ def parse_node_and_insert(conn, node, cveId):
                     # Save processing by representing as -.
                     yield [cveId, vendor, product, '-', '', '', '']
 
-    conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()).close()
+    conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator(is_nvd)).close()
 
-def update_db(conn, jsondata):
+def update_db_nvdjson(conn, jsondata):
     import json
     root = json.loads(jsondata)
 
@@ -297,8 +328,77 @@ def update_db(conn, jsondata):
 
         configurations = elt['configurations']['nodes']
         for config in configurations:
-            parse_node_and_insert(conn, config, cveId)
+            parse_node_and_insert(conn, config, cveId, True)
+
+def update_db_fkie(conn, jsondata):
+    import json
+    root = json.loads(jsondata)
+
+    for elt in root['cve_items']:
+        if not 'vulnStatus' in elt or elt['vulnStatus'] == 'Rejected':
+            continue
+
+        if not 'configurations' in elt:
+            continue
+
+        accessVector = None
+        vectorString = None
+        cvssv2 = 0.0
+        cvssv3 = 0.0
+        cvssv4 = 0.0
+        cveId = elt['id']
+        cveDesc = elt['descriptions'][0]['value']
+        date = elt['lastModified']
+        try:
+            for m in elt['metrics']['cvssMetricV2']:
+                if m['type'] == 'Primary':
+                    accessVector = m['cvssData']['accessVector']
+                    vectorString = m['cvssData']['vectorString']
+                    cvssv2 = m['cvssData']['baseScore']
+        except KeyError:
+            cvssv2 = 0.0
+        try:
+            for m in elt['metrics']['cvssMetricV30']:
+                if m['type'] == 'Primary':
+                    accessVector = m['cvssData']['accessVector']
+                    vectorString = m['cvssData']['vectorString']
+                    cvssv3 = m['cvssData']['baseScore']
+        except KeyError:
+            accessVector = accessVector or "UNKNOWN"
+            cvssv3 = 0.0
+        try:
+            for m in elt['metrics']['cvssMetricV31']:
+                if m['type'] == 'Primary':
+                    accessVector = m['cvssData']['accessVector']
+                    vectorString = m['cvssData']['vectorString']
+                    cvssv3 = m['cvssData']['baseScore']
+        except KeyError:
+            accessVector = accessVector or "UNKNOWN"
+            cvssv3 = 0.0
+        try:
+            for m in elt['metrics']['cvssMetricV40']:
+                if m['type'] == 'Primary':
+                    accessVector = m['cvssData']['accessVector']
+                    vectorString = m['cvssData']['vectorString']
+                    cvssv4 = m['cvssData']['baseScore']
+        except KeyError:
+            accessVector = accessVector or "UNKNOWN"
+            cvssv4 = 0.0
 
+        conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?, ?)",
+                [cveId, cveDesc, cvssv2, cvssv3, cvssv4, date, accessVector, vectorString]).close()
+
+        for config in elt['configurations']:
+            # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing
+            for node in config["nodes"]:
+                parse_node_and_insert(conn, node, cveId, False)
+
+
+def update_db(d, conn, jsondata):
+    if (d.getVar("NVD_DB_VERSION") == "FKIE"):
+        return update_db_fkie(conn, jsondata)
+    else:
+        return update_db_nvdjson(conn, jsondata)
 
 do_fetch[nostamp] = "1"
 

From patchwork Wed Feb  5 14:34:13 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Marta Rybczynska <rybczynska@gmail.com>
X-Patchwork-Id: 56708
Return-Path: <rybczynska@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 541AFC02194
	for <webhook@archiver.kernel.org>; Wed,  5 Feb 2025 14:35:28 +0000 (UTC)
Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com
 [209.85.221.48])
 by mx.groups.io with SMTP id smtpd.web11.13328.1738766124879269805
 for <openembedded-core@lists.openembedded.org>;
 Wed, 05 Feb 2025 06:35:25 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=CHL1RNIo;
 spf=pass (domain: gmail.com, ip: 209.85.221.48,
 mailfrom: rybczynska@gmail.com)
Received: by mail-wr1-f48.google.com with SMTP id
 ffacd0b85a97d-38daf14018eso1314545f8f.1
        for <openembedded-core@lists.openembedded.org>;
 Wed, 05 Feb 2025 06:35:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1738766123; x=1739370923;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=YJ7sNtiDCiqs+PM/kP6I5gdURYbIXXqI8SshTgYSEC0=;
        b=CHL1RNIormZ0ShmrSEl7olsoKKc5nnipCIfdq8CU+RO5DoOggi0soE/RlOnUGmfBKW
         SSefW+OBCv/ZgGb8Ko0ch/wfybMHbjrjW/rvLgrKcEci+lWI1kFUsOhybiPqDzddB3/G
         7K5SbwWBepQsxQbB2c31rwIbh6tAFktElQqX0/Y0jskqp78//qAWzY1QUhkQf0h14AHY
         5Dy6fIBlRMSMu8iMmExIj/s6phRv7Gj1lJxz24qZsQqBnDnGEolK44KSQroirqR35Rq1
         V/aA/EKflgN3lM+k+0uZSmnvdW0KU9BRceO1u8q3De2BGHiSPu/qLWHdLrSqbDd+Te7K
         kF7g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1738766123; x=1739370923;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=YJ7sNtiDCiqs+PM/kP6I5gdURYbIXXqI8SshTgYSEC0=;
        b=BNYZco877tFo4NzYeH2Tdt2/RJSkmKzKKXjzWHbNDhYWv/xSzykDgke+tgVuZcHYO3
         juXGwXsrz6HRBjgxVohKkOQEwtmkPyIP826c4gL4pqAylP9GjBh0CBanMUP5m7tnKvvH
         +H6djBMr2PysHWGiKaI01G7soFktExCpt/HZrl+OIYaZ7DkrXAUz3bwwtMnLFfnMTmSE
         Wg3h7j8DNsSddou4IIHO4gff/Zu8lBgE6FvH2Kn1ZUrkZ46hBuxHX1+mROfUWkNgWaoe
         NExCnRby+yWtm9eaiEeYEKACNFYiov/RH3dPC8erlmRETBlfWlEDeBv+cMGbVVpTJP5T
         0T1w==
X-Gm-Message-State: AOJu0YwFqrWd8l6kAoA9QjqtAnjQBdyDVBs5GhsJR7BKXI1eZRslYsWy
	AI5qUkSfR5dLPMFAy5coSqtslfitmhoTftcfbevbB501sBY/MTnYYMEWodpm
X-Gm-Gg: ASbGncs/em9t8HTT2WZqmv7NQXTJ6FLbJ7RB6cSEC0iIj1D99S4bJScL7TrplQhFrBI
	HCT1VRQ6uwn3JZrWyrpyOHg2m3EuYTRF8fA/Q6z4qN7LkhmJ/NbkGQSQPZxAOCchYVnbxIOVa3q
	MmY/e4NXnJFzRE/9m0p+kv2btggcjKWVGkZmvpdEWvFzmuTPreJ6+p4+4N4k/mblE4oqLbx+f1/
	gYxwG4nZKD+Jpbjr6+Ugnn2p2H/8J3R2id1SsDglIlu/O/4kanyMNvk6Hy+Cij4ylM485UBwcwj
	GMwsD0i3fRX1u/lD3N14yjIpbn99URY+i4Y3bGmsDIUX
X-Google-Smtp-Source: 
 AGHT+IGrbsFAP10tPxfGz3IM6VDsiQQlyC4DpW9gpujScMyhQDGwL7gTCkG3SkaNTZNucvN6eQlX5w==
X-Received: by 2002:a5d:5f4d:0:b0:385:ec6e:e87a with SMTP id
 ffacd0b85a97d-38db493f0famr2639072f8f.43.1738766122807;
        Wed, 05 Feb 2025 06:35:22 -0800 (PST)
Received: from localhost.localdomain
 ([2a04:cec0:10ef:d61d:4bb8:b29b:dacd:c52b])
        by smtp.gmail.com with ESMTPSA id
 ffacd0b85a97d-38c5c102bccsm18614600f8f.27.2025.02.05.06.35.20
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 05 Feb 2025 06:35:22 -0800 (PST)
From: Marta Rybczynska <rybczynska@gmail.com>
X-Google-Original-From: Marta Rybczynska <marta.rybczynska@ygreky.com>
To: openembedded-core@lists.openembedded.org
Cc: Marta Rybczynska <marta.rybczynska@ygreky.com>
Subject: [PATCH v3][OE-core 4/4] cve-check: allow feed choice
Date: Wed,  5 Feb 2025 15:34:13 +0100
Message-ID: <20250205143439.38233-5-marta.rybczynska@ygreky.com>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20250205143439.38233-1-marta.rybczynska@ygreky.com>
References: <20250205143439.38233-1-marta.rybczynska@ygreky.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Wed, 05 Feb 2025 14:35:28 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/210853

Allow choice of one of three feeds and update task dependencies
accordingly. All feeds contain data from NVD and are stored in
different files.

Set the NVD_DB_VERSION variable to choose feed:
NVD2 (default) - the NVD feed with API version 2
NVD1 - the NVD JSON feed (deprecated)
FKIE - the FKIE-CAD feed reconstruction

In case of malformed database feed name, we default to NVD2 and show
an error.

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
---
 meta/classes/cve-check.bbclass | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 6e10dd915a..90097cfde8 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -31,7 +31,12 @@
 CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
 
-CVE_CHECK_DB_FILENAME ?= "nvdcve_2-2.db"
+# Possible database sources: NVD1, NVD2, FKIE
+NVD_DB_VERSION ?= "NVD2"
+
+# Use different file names for each database source, as they synchronize at different moments, so may be slightly different
+CVE_CHECK_DB_FILENAME ?= "${@'nvdcve_2-2.db' if d.getVar('NVD_DB_VERSION') == 'NVD2' else 'nvdcve_1-3.db' if d.getVar('NVD_DB_VERSION') == 'NVD1' else 'nvdfkie_1-1.db'}"
+CVE_CHECK_DB_FETCHER ?= "${@'cve-update-nvd2-native' if d.getVar('NVD_DB_VERSION') == 'NVD2' else 'cve-update-db-native'}"
 CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK"
 CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}"
 CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock"
@@ -114,6 +119,11 @@ python () {
                 d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
         else:
             bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
+
+    nvd_database_type = d.getVar("NVD_DB_VERSION")
+    if nvd_database_type not in ("NVD1", "NVD2", "FKIE"):
+        bb.erroronce("Malformed NVD_DB_VERSION, must be one of: NVD1, NVD2, FKIE. Defaulting to NVD2")
+        d.setVar("NVD_DB_VERSION", "NVD2")
 }
 
 def generate_json_report(d, out_path, link_path):
@@ -182,7 +192,7 @@ python do_cve_check () {
 }
 
 addtask cve_check before do_build
-do_cve_check[depends] = "cve-update-nvd2-native:do_unpack"
+do_cve_check[depends] = "${CVE_CHECK_DB_FETCHER}:do_unpack"
 do_cve_check[nostamp] = "1"
 
 python cve_check_cleanup () {